CRITICAL🇵🇱 Wersja polska

CVE-2021-35402

CVSS 10.0v3.1pub. 2026-02-20upd. 2026-04-15

PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip parameter (for satellite_status).

🤖 AI Analysis
How it works

The vulnerability occurs in the live_api.cgi script during handling of a request with the page=satellite_list parameter. The ip parameter, passed in the context of the satellite_status function, is not properly validated or sanitized. An attacker can inject shell metacharacters (such as semicolons, pipes, backticks) directly into the ip parameter, resulting in the execution of arbitrary system commands by the shell interpreter on the device.

Impact

A remote, unauthenticated attacker can gain full control over the device, read or modify its configuration, and use it as an entry point for further actions in the local network.

Mitigation & patch

Update the PROLiNK PRC2402M device firmware to a version released after 2021-06-13. Details are available in the manufacturer's references and in the security advisory at https://starlabs.sg/advisories/21/21-35402/. Until the update is applied, it is recommended to isolate the device management panel from the public network or untrusted network segments.

Who is affected

PROLiNK PRC2402M with firmware dated 20190909, released before 2021-06-13

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References